#!/bin/bash

# Copyright 2017-2021 NXP
#
# SPDX-License-Identifier: BSD-3-Clause

# signing images for secure boot


secure_sign_image() {
    # $1: <machine>,  $2: <boottype>
    [ ! -f $FBDIR/configs/board/$1.conf ] && echo $FBDIR/configs/board/$1.conf not exist! && exit
    [ -f $PKGDIR/apps/security/cst/uni_sign ] || bld cst
    [ $MACHINE = ls1012afrwy ] && secfile=IMG7 || secfile=IMG4
    if ! grep -q ${secfile}_FILE_${2}_sec $FBDIR/configs/board/$1.conf; then exit; fi
    . $FBDIR/configs/board/$1.conf

    [ -f $FBOUTDIR/$distro_bootscript ] || bld distroscr -m $1 -a $DESTARCH
    [ "$IMA_EVM" = y -a ! -f $FBOUTDIR/$bootscript_enforce ] && bld distroscr -t -m $1
    [ "$ENCAP" = y -a ! -f $FBOUTDIR/$bootscript_dec ] && bld distroscr -e -m $1

    [ ! -f $kernel_img ] && echo $kernel_img not exist, generating it ... && \
    bld linux -p $SOCFAMILY -a $DESTARCH

    [ ! -f $tiny_itb ] && bld itb -r poky:tiny -a $DESTARCH -p $SOCFAMILY

    fbprint_n "Signing $2boot images for $1 ..."
    [ "$ENCAP" = y ] && cp $FBOUTDIR/$bootscript_dec $PKGDIR/apps/security/cst/bootscript_dec && echo "Copying bootscript_decap"

    if [ "$IMA_EVM" = y ]; then
	[ -f $FBOUTDIR/images/initramfs_imaevm_${DESTARCH}.img ] || \
	bld rfs -r buildroot:imaevm -a $DESTARCH
	cp -f $FBOUTDIR/images/initramfs_imaevm_${DESTARCH}.img $PKGDIR/apps/security/cst/initramfs.img && echo "Copying initramfs.img"
	cp -f $FBOUTDIR/$bootscript_enforce $PKGDIR/apps/security/cst/bootscript_enforce && echo "Copying bootscript_enforce"
    fi

    cd $PKGDIR/apps/security/cst && \
    rm -f bootscript uImage.dtb uImage.bin kernel.itb secboot_hdrs*.bin hdr*.out && \
    cp -f $FBOUTDIR/$distro_bootscript bootscript && echo "Copying bootscript" && \
    cp -f $FBOUTDIR/$device_tree uImage.dtb && echo "Copying dtb" && \
    cp -f $tiny_itb kernel.itb && echo "Copying linux tiny itb" && \
    cp -f $kernel_img uImage.bin && echo "Copying kernel" && cd -

    rcwimg_sec=`eval echo '${'"rcw_""$2"'_sec}'`
    rcwimg_nonsec=`eval echo '${'"rcw_""$2"'}'`
    if [ -z "$rcwimg_nonsec" ] || ! echo $rcwimg_nonsec | grep -q $1; then
	echo ${2}boot on $1 is not supported && return
    fi

    # for platform without ATF support
    if [ ${1:0:7} = ls1021a ]; then
	ubootimg_sec=`eval echo '${'"COMPOSITE_IMG1_FILE_""$2"'_sec}'`
	[ -f $FBOUTDIR/$ubootimg_sec ] || bld u-boot -m $1 -b $2
	if [ $2 = nor ]; then
	    cp $FBOUTDIR/$ubootimg_sec $PKGDIR/apps/security/cst/u-boot-dtb.bin
	elif [ $2 = sd ]; then
	    cp -f $FBOUTDIR/$ubootimg_sec $PKGDIR/apps/security/cst/u-boot-with-spl-pbl.bin
	    cp -f $FBOUTDIR/$uboot_spl $PKGDIR/apps/security/cst/u-boot-spl.bin
	    cp -f $FBOUTDIR/$uboot_dtb $PKGDIR/apps/security/cst/u-boot-dtb.bin
	fi
    fi

    [ -f $pfe_fw ] || bld pfe_bin
    [ ${1:0:7} = ls1012a ] && cp $pfe_fw $PKGDIR/apps/security/cst/pfe.itb && echo "Copying PFE"

    if [ ${1:0:7} = ls1088a -o ${1:0:7} = ls2088a -o ${1:0:5} = lx216 ]; then
	[ -f $FBOUTDIR/$COMPOSITE_IMG11_FILE ] || bld mc_bin
	[ -f $FBOUTDIR/$COMPOSITE_IMG13_FILE ] || bld mc_utils
	cp -f $FBOUTDIR/$COMPOSITE_IMG11_FILE $PKGDIR/apps/security/cst/mc.itb
	cp -f $FBOUTDIR/$COMPOSITE_IMG12_FILE $PKGDIR/apps/security/cst/dpl.dtb
	cp -f $FBOUTDIR/$COMPOSITE_IMG13_FILE $PKGDIR/apps/security/cst/dpc.dtb
    fi
    mkdir -p  $FBOUTDIR/bsp/secboot_hdrs/$1
    cd $PKGDIR/apps/security/cst
    if [ $2 = nand -a -n "$nand_script" ]; then
	. $nand_script
    elif [ $2 = sd -o $2 = emmc ] && [ -n "$sd_script" ]; then
	. $sd_script
    elif [ $2 = nor -a -n "$nor_script" ]; then
	. $nor_script
    elif [ $2 = qspi -a -n "$qspi_script" ]; then
	. $qspi_script
    elif [ $2 = xspi -a -n "$xspi_script" ]; then
	. $xspi_script
    fi

    if [ ${1:0:7} = ls1028a ]; then
	cp -f $PKGDIR/apps/security/cst/secboot_hdrs.bin $FBOUTDIR/bsp/secboot_hdrs/$1/secboot_hdrs_${2}boot.bin
    else
	cp -f $PKGDIR/apps/security/cst/secboot_hdrs_${2}boot.bin $FBOUTDIR/bsp/secboot_hdrs/$1
    fi

    if [ ${1:0:7} = ls1021a -a $2 = sd ]; then
	cp -f $PKGDIR/apps/security/cst/u-boot-with-spl-pbl-sec.bin $FBOUTDIR/$ubootimg_sec
    fi

    cp -f $PKGDIR/apps/security/cst/hdr_dtb.out $FBOUTDIR/bsp/secboot_hdrs/$1
    cp -f $PKGDIR/apps/security/cst/hdr_linux.out $FBOUTDIR/bsp/secboot_hdrs/$1
    [ $1 = ls1012afrwy ] && cp $PKGDIR/apps/security/cst/hdr_kernel.out $FBOUTDIR/bsp/secboot_hdrs/$1
    cp  $PKGDIR/apps/security/cst/hdr_bs.out $FBOUTDIR/bsp/secboot_hdrs/$1/hdr_${1}_bs.out
    [ "$ENCAP" = y ] && cp -f $PKGDIR/apps/security/cst/hdr_bs_dec.out \
    $FBOUTDIR/bsp/secboot_hdrs/$1/hdr_${1}_bs_dec.out
    if [ "$IMA_EVM" = y ]; then
	cp -f $PKGDIR/apps/security/cst/hdr_bs_enf.out $FBOUTDIR/bsp/secboot_hdrs/$1/hdr_${1}_bs_enf.out
	cp -f $PKGDIR/apps/security/cst/hdr_initramfs.out $FBOUTDIR/bsp/secboot_hdrs/$1/
    fi

    fbprint_d "sign image for $1 ${2}boot"
}

